added option to send logs to custom 'group'

ansibleguy · Jul 22, 2023 · d427b11 · d427b11
1 parent 74f61e2
commit d427b11
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 3 deletions.
diff --git a/Troubleshoot.md b/Troubleshoot.md
@@ -120,3 +120,22 @@ rule_after:
 If many rules throw this error you might have a problem with a NAT rule.
 
 It could be your kernel does not support NFTables-NATing or you try to add NAT rules to chains that don't have the type 'nat' configured.
+
+### No Logs in container
+
+This is because the logs are sent via kernel.
+
+As the container has no own kernel this will lead to the logs showing up in the 'parent' server's syslog.
+
+To work around this issue you can:
+
+1. Create a local logger daemon
+
+  ```bash
+  apt install ulogd2
+  ```
+
+2. Let NFTables send logs to `group 0`
+
+  Set the `nftables.log_group: 0`
+  Add a `group 0` after every `log prefix` in rules of type `raw`
diff --git a/defaults/main/1_main.yml b/defaults/main/1_main.yml
@@ -24,6 +24,8 @@ defaults_nftables:
   settings:
     purge: true  # purge all unmanaged files from /etc/nftables.d/
 
+  log_group: ''  # set to '0' for container workaround => send logs to local ulogd2 daemon
+
 defaults_table:
   type: 'inet'  # inet, ip6, ip4, arp, bridge, netdev
   chains: {}

diff --git a/filter_plugins/utils.py b/filter_plugins/utils.py
@@ -4,7 +4,6 @@
 
 
 class FilterModule(object):
-
     def filters(self):
         return {
             "nftables_rules_translate": self.nftables_rules_translate,
@@ -43,7 +42,9 @@ def nftables_safe_name(name: str) -> str:
         return regex_replace(r'[^0-9a-zA-Z_\-]+', '', name)
 
     @classmethod
-    def _translate_rule(cls, rule: dict, config: dict, seq_keys: list):
+    def _translate_rule(
+            cls, rule: dict, config: dict, seq_keys: list, log_group: (str, int)
+    ):
         # pylint: disable=R0914,R1702,R0912,R0915
         # todo: fixes:
         #   if only protocol => add "meta l4proto" as prefix
@@ -138,6 +139,9 @@ def _translate_rule(cls, rule: dict, config: dict, seq_keys: list):
 
             translation['log prefix'] = f"log prefix {_comment}"
 
+            if log_group not in NONE_VALUES and str(log_group).isnumeric():
+                translation['log prefix'] = f"{translation['log prefix']} group {log_group}"
+
         # special cases
         if 'type' not in translation and 'code' not in translation and 'proto' in translation \
                 and translation['proto'].find('icmp') != -1 and \
@@ -166,7 +170,10 @@ def _translate_rule(cls, rule: dict, config: dict, seq_keys: list):
         return translated_rule.strip()
 
     @classmethod
-    def nftables_rules_translate(cls, raw_rules: list, translate_config: dict, sort_config: dict) -> list:
+    def nftables_rules_translate(
+            cls, raw_rules: list, translate_config: dict, sort_config: dict,
+            log_group: (str, int),
+    ) -> list:
         rules = []
 
         for rule in raw_rules:
@@ -196,6 +203,7 @@ def nftables_rules_translate(cls, raw_rules: list, translate_config: dict, sort_
                         rule=rule,
                         config=translate_config,
                         seq_keys=sort_config['fields'],
+                        log_group=log_group,
                     )
 
             if _translated in NONE_VALUES:
@@ -251,6 +259,7 @@ def nftables_merge_sort_translate_rules(
             raw_rules=rules,
             translate_config=config_hc['rules']['translate'],
             sort_config=config_hc['rules']['sort'],
+            log_group=config['log_group'],
         )
 
     @classmethod